Hey Bugtraq,
I'm re-sending this to the list, 'cause for some reason my previous email
didn't go through... Here's further information about the OpenSSH timing
leak i recently found on SUSE systems, plus some news and considerations
about possible solutions.
First of all, i finally managed
Marco Ivaldi wrote:
It needs expect, and target ssh hostkey must be already added. I'd be
very interested in knowing the results of tests performed on other
distros and configurations.
Hi Marco,
nice to meet you :-). I tried to do this test over my 10 Mbps lan and
this is the result:
Hey again,
I know quoting myself is bad form, but i just wanted to clarify a few
points about my recent OpenSSH timing leak post;)
Here we are again... During a recent penetration test i stumbled upon
yet another OpenSSH timing leak, leading to remote disclosure of valid
usernames. It's
Hello Bugtraq,
Here we are again... During a recent penetration test i stumbled upon yet
another OpenSSH timing leak, leading to remote disclosure of valid
usernames. It's not as big as the one i found in the past (CVE-2003-0190),
but it can indeed be exploited over the Internet, nevertheless
